Hearing device with communication protection and related method

ABSTRACT

A hearing device includes: a processing unit configured to compensate for hearing loss of a user of the hearing device; and an interface; wherein the processing unit is configured to: receive a session request for a session via the interface, obtain and store a session key, encrypt the session key based on a hearing device key, send a session response comprising the encrypted session key, and receive session data in the session via the interface.

RELATED APPLICATION DATA

This application claims priority to and the benefit of Danish Patent Application No. PA 2014 70779 filed on Dec. 12, 2014, pending, and European Patent Application No. 14197823.9 filed on Dec. 12, 2014, pending. The entire disclosures of both of the above applications are expressly incorporated by reference herein.

FIELD

The present disclosure relates to a hearing device with communication protection and related method, and in particular to a hearing device for communicating securely with accessory devices/systems and related method.

BACKGROUND

The functionality of a hearing device becomes increasingly advanced. Wireless communication between a hearing device and external devices, such as hearing device fitting apparatus, tablets, smart phones and remote controllers, has evolved. A wireless communication interface of a hearing device uses open standard-based interface. However, this poses many challenges in terms of security. A hearing device may assume any incoming data as legitimate, and may allow memory to be written or changed by an unauthorized party. Any such attacks may result in a malfunction of the hearing aid, or a battery exhaustion attack.

However, a hearing device is a very small device with strict constraints in terms of computational power, memory space etc. Off-the-shelf security algorithms and protocols cannot be readily functional on a hearing device.

SUMMARY

There is a need for a hearing device with reduced risk of a third party accessing any part of the hearing device.

Disclosed is a hearing device comprising a processing unit configured to compensate for hearing loss of a user of the hearing device. The hearing device comprises a memory unit and an interface. The processing unit is configured to receive a session request for a session via the interface; obtain and/or store a session key; and encrypt the session key, e.g. based on a hearing device key. The processing unit is configured to send a session response, e.g. comprising the encrypted session key; and receive session data in the session via the interface.

Also disclosed is a method for communication with a hearing device comprising a processing unit, a memory unit, and an interface. The method comprises receiving a session request for a session via the interface; obtaining and/or storing a session key, e.g. in the memory unit; and encrypting the session key, e.g. based on a hearing device key. The method comprises sending the encrypted session key; and receiving session data in the session via the interface.

The method and hearing device as disclosed provide secure access control to the hearing device, such as secure access to the memory of the hearing device. It is an advantage of the present disclosure that the hearing device is able to filter out un-desired (e.g. unauthorized) communication at a session initiation and thus not unnecessarily consume power to communicate with undesired parties. The disclosed hearing device thus has the advantage of detecting any modification by unauthorized parties. The hearing device disclosed herein is advantageously protected against attacks such as spoofing attacks, man-in-the-middle attacks, and/or replay-attacks.

A hearing device includes: a processing unit configured to compensate for hearing loss of a user of the hearing device; and an interface; wherein the processing unit is configured to: receive a session request for a session via the interface, obtain and store a session key, encrypt the session key based on a hearing device key, send a session response comprising the encrypted session key, and receive session data in the session via the interface.

Optionally, the processing unit is configured to verify an integrity of the session data.

Optionally, the processing unit is configured to terminate the session if the integrity of the session data is corrupted.

Optionally, the session data comprises a message authentication code, and wherein the processing unit is configured to verify the integrity of the session data by verifying the message authentication code with the stored session key.

Optionally, the session data comprises a digital signature, and wherein the processing unit is configured to verify the integrity of the session data by verifying the digital signature.

Optionally, the hearing device further includes a memory unit, and wherein the processing unit is configured to: decrypt the session data with the session key, and store at least a part of the decrypted session data in the memory unit.

Optionally, the processing unit is configured to terminate the session if decryption of the session data fails.

Optionally, the session data comprises fitting data, hearing device operating parameters, and/or firmware data.

Optionally, the processing unit is configured to compensate for the hearing loss of the user of the hearing aid according to the received session data.

Optionally, the session key is a symmetric key.

Optionally, the processing unit is configured to obtain the session key by generating a random or pseudo-random number with a number generator contained in the hearing device.

Optionally, the hearing device key is a symmetric key or a public key of a private-public key pair.

Optionally, the processing unit is configured to send a hearing device identifier in the session response.

Optionally, the hearing device key is stored in a permanent memory of the hearing device.

A method for communication with a hearing device comprising a processing unit and an interface, the method includes: receiving a session request for a session via the interface; obtaining and storing a session key; encrypting the session key based on a hearing device key; sending a session response comprising the encrypted session key; and receiving session data in the session via the interface.

Optionally, the method further includes verifying an integrity of the session data.

Optionally, the method further includes terminating the session if the integrity of the session data is corrupted.

Optionally, the method further includes: decrypting the session data with the session key; and storing at least a part of the decrypted session data in a memory unit of the hearing device.

Other features and embodiments will be described below in the detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other features and advantages will become readily apparent to those skilled in the art by the following detailed description of exemplary embodiments thereof with reference to the attached drawings, in which:

FIG. 1 schematically illustrates an exemplary architecture according to this disclosure,

FIG. 2 schematically illustrates an exemplary hearing device,

FIG. 3A schematically illustrates an exemplary signalling diagram,

FIG. 3B schematically illustrates an exemplary signalling diagram, and

FIG. 4 schematically illustrates a flowchart of an exemplary method.

DETAILED DESCRIPTION

Various embodiments are described hereinafter with reference to the figures. Like reference numerals refer to like elements throughout. Like elements will, thus, not be described in detail with respect to the description of each figure. It should also be noted that the figures are only intended to facilitate the description of the embodiments. They are not intended as an exhaustive description of the claimed invention or as a limitation on the scope of the claimed invention. In addition, an illustrated embodiment needs not have all the aspects or advantages shown. An aspect or an advantage described in conjunction with a particular embodiment is not necessarily limited to that embodiment and can be practiced in any other embodiments even if not so illustrated, or if not so explicitly described. Throughout, the same reference numerals are used for identical or corresponding parts.

It is an object of the present disclosure is to provide a hearing device, and a method which seeks to mitigate, alleviate, or eliminate one or more of the above-identified deficiencies in the art and disadvantages singly or in any combination.

The present disclosure relates to improved security of a hearing device. Security comprise in assessing threats, vulnerabilities and attacks and developing appropriate safeguards and countermeasures to protect against threats and attacks. The present disclosure relates to a hearing device comprising a processing unit configured to compensate for hearing loss of a user of the hearing device.

The hearing device may comprise a processing unit, a memory unit and an interface. The interface may comprise a wireless transceiver, e.g. configured for wireless communication at frequencies in the range from 2.4 to 2.5 GHz.

The processing unit is configured to receive a session request for a session via the interface. The processing unit may be configured to verify the session request, such as authenticate the sender of the session request, e.g. a client device or a server device. It may envisaged that the hearing device and the sender of the session request have pre-established authenticated connection which thus permits the session request to be authenticated by the hearing device. The session request may comprise a digital signature enabling authentication of the session request.

In one or more exemplary hearing devices, the session request comprises a digital signature. The processing unit may be configured to verify integrity of the session request, e.g. by verifying the digital signature. For example, a verifier of the processing unit may be configured to verify the digital signature. The processing unit 202 verifies the digital signature using a signature verification function and a public key of a sender that has generated the digital signature and included the digital signature in the session request. If the hearing device/processing unit determines that the digital signature is not successfully verified using the alleged public key of a sender, the hearing device disregards the session request and terminates the session. This may provide the advantage that the hearing device rejects session requests from unauthenticated parties, thereby reducing the risk of or limit the effects of a battery exhaustion attack

The hearing device may be paired with a sender of the session request prior to receipt of the session request. In the pairing, the hearing device and the sending/client device may have exchanged one or more of hearing device identifier, sender identifier, session key/identifier, etc.

The processing unit is configured to obtain and/or store a session key; and encrypt the session key, optionally based on a hearing device key. The session key may be a symmetric key. A symmetric session key may provide a lightweight processing of the security algorithms on the processing unit, such as lightweight encryption, lightweight decryption, lightweight integrity protection, etc.

The processing unit is configured to obtain the session key, and to obtain the session key may comprise to generate the session key, e.g. as a random or pseudo-random number. Thus the hearing device and/or the processing unit may comprise a number generator, e.g. configured to generate a random or pseudo-random number. By using a unique session key or session key from a large number of available session keys, the processing power requirements in the hearing device may be reduced. Further, simple encryption is facilitated and replay-attacks are prevented.

The hearing device key may be a symmetric key or a public key of a private-public key pair. The hearing device key may be stored in a permanent memory of the hearing device, e.g. during manufacture or during a fitting session.

The processing unit is configured to send a session response in response to the session request. The session response may comprise the encrypted session key. The session response may comprise a hearing device identifier and/or the session key. Thus, the processing unit may be configured to send a hearing device identifier and/or the session key in the session response. A session response comprising a hearing device identifier may enable the sender of the session request to obtain the hearing device key, either from a database or by requesting the hearing device key from the manufacturer, which in turn enables the sender of the session request to decrypt the session key and use the session key when sending session data to the hearing device.

The hearing device disclosed herein has the advantage of verifying integrity of received data, detecting any alteration and disregard altered data. The hearing device disclosed herein has the advantage to open a session only with authenticated parties, such as an authenticated fitting device, an authenticated accessory device, an authenticated external devices and/or an authenticated server.

The processing unit is configured to receive session data in the session via the interface. The processing unit may be configured to verify integrity of the session data. The session data may comprise a message authentication code. To verify integrity of the session data may comprise to verify the message authentication code, e.g. with the stored session key. The session data may comprise a digital signature. To verify integrity of the session data may comprise verifying the digital signature.

The processing unit may be configured to terminate the session if integrity of the session data is corrupted, i.e. verification of the integrity fails.

The processing unit may be configured to decrypt the session data with the session key. The processing unit may be configured to store at least part of decrypted session data in the memory unit. The processing unit may be configured to terminate the session if decryption of the session data fails. The session data may comprise fitting data, hearing device operating parameters, and/or firmware data.

The processing unit may be configured to compensate for hearing loss of a user of the hearing aid according to the received session data. Thus, a sender of the session request may control operation of the hearing device, either by sending fitting data, hearing device operating parameters, and/or firmware data. The disclosed hearing device and method prevents unauthorized access or control of a hearing device

As used herein, the term “hearing device” refers to a device configured to assist a user in hearing a sound, such as a hearing instrument, a hearing aid device, a headset, a pair of headphones, etc.

FIG. 1 schematically illustrates an exemplary architecture 100 according to this disclosure. The architecture 100 comprises a hearing device 101, a client device 110, and a server device 111. The client device 110 may comprise a computing device acting as a client, such as a fitting device, a handheld device, a relay, a tablet, a personal computer, a mobile phone, and/or USB dongle plugged in a personal computer. The server device 111 may comprise a computing device configured to act as a server, i.e. to serve requests from the client device 110 and/or from the hearing device 101. The server device 111 may be controlled by the hearing device manufacturer.

The hearing device 101 may be connected to the client device 110 via a communication link 113, such as a bidirectional communication link and/or a wireless communication link. The wireless communication link may be carried over a short-range communication system, such as Bluetooth, Bluetooth low energy, IEEE 802.11, Zigbee. The hearing device 101 may be connected to the client device 110 over a network. The client device 110 may permit remote fitting of the hearing aid device where a dispenser connects to the hearing device via the client device 110 of the user.

The hearing device 101 may be connected to the server device 111 via a communication link 114 over a network 114 a, such as a bidirectional and/or wireless communication link over a network. The client device 110 may be connected to the server device 111 via a communication link 112 over a network 112 a, such as a bidirectional and/or wireless communication link over a network.

FIG. 2 schematically illustrates an exemplary hearing device 101. The exemplary hearing device 101 comprises a processing unit 202 configured to compensate for hearing loss of a user of the hearing device 101.

The exemplary hearing device 101 comprises a memory unit 203 and an interface 204 respectively connected to the processing unit 202. The processing unit 202 is configured to receive a session request for a session via the interface 204. Hence, the processing unit 202 comprises a receive/send unit 205 configured to send and/or receive via the interface 204. The receive/send unit 205 is configured to send and receive via the interface 204 to/from an external device, such as a server device, a client device, a fitting device, an accessory, a relay device, a smart phone, a tablet. The processing unit 202 is configured to obtain and store a session key. Hence, the processing unit 202 may comprise an obtainer 206 configured to obtain and/or generate the session key and to store the session key in e.g. the memory unit 203. To obtain the session key may comprise to generate a random or pseudo-random number with the number generator 210 contained in the hearing device 101. The processing unit 202 may comprise a random number generator 210. The session key obtained may be a 128-bits random or pseudo-random number, a 192-bits random or pseudo-random number, a 256-bits random or pseudo-random number, or any other bit-size random or pseudo-random number. The session key may be obtained so as to be compliant with an encryption standard such as Advanced Encryption Standard, AES, RSA crypto-system, Triple Data Encryption Algorithm, TDEA, Elliptic Curve Cryptographic system, any other encryption system. The session key may be uniquely generated for each session, using e.g. the number generator 210. This provides robustness against e.g. replay attacks.

The processing unit 202 is configured to encrypt the session key based on a hearing device key. Hence, the processing unit 202 may comprise an encrypt/decrypt unit 207. The processing unit 202 is configured to send a session response comprising the encrypted session key, for example by using the receive/send unit 205 and the interface 204. The processing unit 202 is configured to receive session data in the session via the interface 204, for example by using the receive/send unit 205 and the interface 204. The processing unit 202 receives the session data in the session from an external device, such as a client device 110 and/or a server device 111.

In one or more exemplary hearing devices, the processing unit 202 is configured to verify integrity of the session data. Thus, the processing unit 202 may comprise a verifier 208. For example, the processing unit 202 is configured to determine whether the integrity of the session data is corrupted, i.e. whether the session data has been tampered with or modified by an unauthorized party. The processing unit 202 detects e.g. an insertion, a deletion, and/or a substitution of data by an unauthorized party, such as by any party other than the sender.

In one or more exemplary hearing devices, the processing unit 202 is configured to terminate the session if integrity of the session data is corrupted. Thus, the processing unit 202 may comprise a terminator 209. For example, when it is determined by the processing unit 202 or the verifier 208 that the session data has been tampered with or modified (by e.g. insertion, deletion and/or substitution) by an unauthorized party, The processing unit 202 reject the received session data, and the terminator 209 or the processing unit 202 terminates the session with e.g. an external device. Terminating the session comprises deleting the session key from e.g. the memory unit 203. Deleting the session key protects the hearing device 101 against any replay attack or any attack based on any communication captured by an attacker.

In one or more exemplary hearing devices, the session data comprises a message authentication code, and the processing unit 202 verifying integrity of the session data is configured to verify the message authentication code with the stored session key. Thus, the verifier 208 is configured to verify the message authentication code with the stored session key. A message authentication code, MAC, is generated by a sender, such as an external device, based on the session data and the decrypted session key. Upon reception of the session data comprising the MAC, the hearing device which holds the stored session key is able to re-compute the MAC based on the received session data and a MAC generation function and compare the recomputed MAC with the received MAC. If the recomputed MAC does not match the received MAC, then the hearing device concludes that session data is corrupted. The hearing device disregards the session data and terminates the session. For example the processing unit 202 disregards the session data and terminates the session using the terminator 208.

In one or more exemplary hearing devices, the session data comprises a digital signature. The processing unit 202 verifying integrity of the session data is configured to verify the digital signature. For example, the verifier 208 is configured to verify the digital signature. The processing unit 202 verifies the digital signature using a signature verification function and a public key of a sender that has generated the digital signature and appended it to the session data. If the processing unit 202 determines that the digital signature is not successfully verified using the alleged public key of a sender, the processing unit 202 disregards the session data and terminates the session. This may provide the advantage that the hearing device 101 rejects session data tampered or received from unauthenticated parties and is thus robust against impersonation and masquerading attacks.

In one or more exemplary hearing devices, the processing unit 202 is configured to decrypt the session data with the session key, and to store at least part of decrypted session data in the memory unit 203. A client device 110 or a server device 111 may send encrypted session data to the hearing device 101. The processing unit 202 receives the encrypted session data via the receive/send unit 205 and the interface 204. The processing unit 202 retrieves the session key from e.g. the memory unit 203, and decrypts the session data using the retrieved session key and a decryption function. The processing unit 202 stores the decrypted session data in the memory unit 203. The processing unit 202 is configured to terminate the session if decryption of the session data fails. The decryption of the session data may fail if the session data is encrypted with a key different from the session key stored at the hearing device 101. This may provide the advantage that the hearing device 101 rejects session data received from parties not holding the session key and is thus robust against attacks based on such illegitimate data.

In one or more exemplary hearing devices, the session data comprises fitting data, hearing device operating parameters, and/or firmware data. Fitting data may for example be data generated by a fitting device used by a dispenser when a hearing device is being fitted in a user's ear. Fitting data may comprise hearing loss parameters, compressor parameters, filter coefficients, and/or gain coefficients. Hearing device operation parameters may comprise volume control parameters, mode and/or program control parameters. Firmware may refer to a computer program provided by the hearing device manufacturer, and to be installed on the hearing device to control the hearing device. Firmware is for example to be installed to upgrade the operations and capabilities of the hearing device.

In one or more exemplary hearing devices, the processing unit 202 is configured to compensate for hearing loss of a user of the hearing aid according to the received session data. The processing unit 202 may perform the hearing loss compensation based on the fitting data.

In one or more exemplary hearing devices, the session key comprises a symmetric key. The symmetric key may be uniquely generated for each session, using e.g. the number generator 210. The symmetric key may comprise an AES-128 bits key. The use of a symmetric key as a session key may reduce a processing power requirement, and allow the hearing device 101 to decrypt the session data with light encryption algorithms.

In one or more exemplary hearing devices, the hearing device key is a symmetric key or a public key of a private-public key pair. The hearing device key may comprise an AES-128 bits key as a symmetric key. The use of a symmetric as a hearing device key provides the advantage of being able to use hardware accelerators. The hearing device key may comprise a public key of a private-public key pair, such as a public key of a private-public key pair of an authorized discloser of the session key, such as of a server 111.

In one or more exemplary hearing devices, the processing unit 202 is configured to send a hearing device identifier in the session response. The hearing device identifier may refer to a unique device identifier. The hearing device identifier may comprise a hardware number, a serial number, a MAC address. The session response may comprise the encrypted session key and the hearing device identifier. The processing unit 202 is configured to send a hearing device identifier in the session response to an external device such as the client device 110 or to the server device 111. The hearing device key may be stored in a permanent memory, such as memory unit 203 of the hearing device 101 during production of the hearing device 101.

The hearing device comprises a microphone 214 for receiving a sound signal and converting it into converted sound signal. The converted sound signal may be an electrical and digital version of the sound signal. The processing unit is configured to receive and process the converted sound signal into a processed sound signal according to a hearing loss of a user of the hearing device. The processed sound signal may be compressed and/or amplified or the like. The hearing device further comprises an output transducer/loudspeaker, known as a receiver 216. The receiver 216 is configured to receive the processed sound signal and convert it to an output sound signal for reception by an eardrum of the user.

FIG. 3A shows an exemplary signalling diagram 300 between a hearing device 101, and a client device 110. The hearing device 101 receives a session request 301 for a session via the interface 204 from the client device 110. The hearing device 101 obtains and stores a session key. The hearing device 101 encrypts the session key based on a hearing device key. The hearing device 101 sends to the client device 110 a session response 302 comprising the encrypted session key. The hearing device 101 may alternatively send to the client device 110 a session response 302 encrypted with the hearing device key, the session response 302 comprising the session key. The client device 110 receiving the session response 302 may request 304 the server device 111 to decrypt the encrypted session key comprised in the session response 302, or to decrypt the encrypted session response 302. Based on the request 304, the server device 111 may send the decrypted session key in a response 305 to the client device 110. This may be when the hearing device key used at the hearing device 101 is a public key of a private-public key pair of the server 101. When the hearing device key is a symmetric key, the server device 111 may send the decrypted session key in a response 305 to the client device 110 or send the hearing device key in the response 305 to the client device 110 which is then capable of decrypting the session key or the session response 302. The response 305 may comprise the decrypted session key or the hearing device key. The communication link 112 between the client device 110 and the server device 111 is secure, i.e. authenticated, encrypted and/or integrity protected using a security protocol (e.g. Transport Layer Security protocol). The hearing device 101 receives from the client device 110 session data 303 in the session via the interface 204. The session data 303 may then be encrypted and/or integrity-protected at the client device 110, e.g by use of the session key. In one or more exemplary hearing devices, the processing unit 202 is configured to verify integrity of the session data as described earlier in connection with FIG. 2. The session data 303 may comprise a message authentication code. A message authentication code, MAC, is generated by a sender, such as a client device/server device, based on the session data and the decrypted session key. Upon reception of the session data comprising the MAC, the hearing device which holds the stored session key is able to re-compute the MAC based on the received session data and a MAC generation function and compare the recomputed MAC with the received MAC. If the recomputed MAC does not match the received MAC, then the hearing device concludes that session data is corrupted. The hearing device disregards the session data and terminates the session. For example the processing unit 202 disregards the session data and terminates the session using the terminator 208.

FIG. 3B shows an exemplary signalling diagram 310 between a hearing device 101, a client 110, and a server device 111. The hearing device 101 receives a session request 311 for a session via the interface 204 from the server device 111. The hearing device 101 obtains and stores a session key. The hearing device 101 encrypts the session key based on a hearing device key. The hearing device 101 sends to the server device 111 a session response 312 comprising the encrypted session key. The hearing device 101 may alternatively send to the server device 111 a session response 312 encrypted with the hearing device key, the session response 312 comprising the session key. The server device 111 may decrypt the encrypted session key comprised in the session response 312, or the encrypted session response 312. The communication link 112 between the hearing device 101 and the server device 111 may be over the client device 110 and/or over a network. The communication link 112 between the hearing device 101 and the server device 111 may or may not be secure, i.e. authenticated, encrypted and/or integrity protected using a security protocol. The hearing device 101 receives from the server device 111 session data 313 in the session via the interface 204. The session data 313 may then be encrypted and/or integrity-protected at the server device 111.

FIG. 4 schematically illustrates a flowchart 400 of an exemplary method according to this disclosure. The method 400 is proposed for communication of a hearing device 101 comprising a processing unit 202, a memory unit 203, and an interface 204, such as for protecting communication of a hearing device with e.g. an external device (client device and/or server device and/or accessory equipment). The method 400 is performed in the hearing device 101. The method 400 comprises receiving S1 a session request for a session via the interface 204. Receiving S1 may comprise receiving a session request from an external device, such as the client device 110 and/or the server device 111.

The method 400 comprises obtaining and storing S2 a session key, such as in a memory unit 203. Obtaining and storing S2 a session key, such as in a memory unit 203 may comprise generating a random or pseudo-random number with the number generator 210 contained in the hearing device 101. Obtaining and storing S2 a session key may comprise generating a 128-bits random or pseudo-random number, a 192-bits random or pseudo-random number, a 256-bits random or pseudo-random number, or any other bit-size random or pseudo-random number.

The method 400 comprises encrypting S3 the session key based on a hearing device key. Encrypting S3 the session key based on a hearing device key may comprise using an encryption standard such as Advanced Encryption Standard, AES, RSA crypto-system, Triple Data Encryption Algorithm, TDEA, Elliptic Curve Cryptographic system, any other encryption system.

The method 400 comprises sending S4 a session response comprising the encrypted session key, and receiving S5 session data in the session via the interface. Sending S4 a session response comprising the encrypted session key may comprise sending the session response to a client device 110 and/or a server device 111. Receiving S5 session data in the session via the interface 204 may comprise receiving session data from a client device 110 and/or a server device 111.

In one or more exemplary methods, the method 400 comprises verifying S6 integrity of the session data. Verifying S6 integrity of the session data may comprise determining whether the integrity of the session data is corrupted, i.e. determining whether the session data has been tampered with or modified by an unauthorized party. Verifying S6 integrity of the session data may comprise detecting e.g. an insertion, a deletion, and/or a substitution of data by an unauthorized party, such as by any party other than the legitimate sender. Verifying S6 integrity of the session data may comprise verifying a message authentication code appended to the session data (e.g. using the stored session key) and/or a digital signature appended to the session data. When it is determined that the integrity of the session data is not corrupted, then the hearing device 101 may grant access to reading and/or writing memory areas to the external device. For example, the session data or hearing device data derived therefrom may be written in the memory unit 203.

The method 400 comprises terminating S7 the session if integrity of the session data is corrupted. For example, if it is determined that the session data has been tampered with or modified (by e.g. insertion, deletion and/or substitution) by an unauthorized party, terminating S7 comprises rejecting the received session data, and terminating the session with e.g. an external device. Terminating S7 may comprise deleting the session key from e.g. the memory unit 203.

In one or more exemplary methods, the method 400 comprises decrypting S8 the session data with the session key, and storing S9 at least part of decrypted session data in the memory unit. Decrypting S8 the session data with the session key may comprise retrieving the session key from e.g. the memory unit 203, and decrypts the session data using the retrieved session key and a decryption function.

Although particular features have been shown and described, it will be understood that they are not intended to limit the claimed invention, and it will be made obvious to those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the claimed invention. The specification and drawings are, accordingly to be regarded in an illustrative rather than restrictive sense. The claimed invention is intended to cover all alternatives, modifications and equivalents.

LIST OF REFERENCES

-   -   100 architecture     -   101 hearing device     -   111 server device     -   112 communication link between client device and server device     -   112 a communication network     -   113 communication link between client device and hearing device     -   114 communication link between server device and hearing device     -   114 a communication network     -   202 processing unit     -   203 memory unit     -   204 interface     -   205 receive/send unit     -   206 obtainer     -   207 encrypt/decrypt unit     -   208 verifier     -   209 terminator     -   210 number generator     -   214 microphone     -   216 receiver     -   300 signalling diagram     -   301 session request     -   302 session response     -   303 session data     -   304 request     -   305 response     -   310 signalling diagram     -   311 session request     -   312 session response     -   313 session data     -   400 method 

The invention claimed is:
 1. A hearing device comprising: a processing unit configured to compensate for hearing loss of a user of the hearing device; and an interface; wherein the processing unit is configured to: receive a session request for a session via the interface, obtain and store a session key, encrypt the session key based on a hearing device key, send a session response comprising the encrypted session key, and receive session data in the session via the interface; wherein the hearing device key is stored in a permanent memory of the hearing device.
 2. The hearing device according to claim 1, wherein the processing unit is configured to verify an integrity of the session data.
 3. The hearing device according to claim 2, wherein the processing unit is configured to terminate the session if the integrity of the session data is corrupted.
 4. The hearing device according to claim 2, wherein the session data comprises a message authentication code, and wherein the processing unit is configured to verify the integrity of the session data by verifying the message authentication code with the stored session key.
 5. The hearing device according to claim 2, wherein the session data comprises a digital signature, and wherein the processing unit is configured to verify the integrity of the session data by verifying the digital signature.
 6. The hearing device according to claim 1, further comprising a memory unit, and wherein the processing unit is configured to: decrypt the session data with the session key, and store at least a part of the decrypted session data in the memory unit.
 7. The hearing device according to claim 6, wherein the processing unit is configured to terminate the session if decryption of the session data fails.
 8. The hearing device according to claim 1, wherein the session data comprises fitting data, hearing device operating parameters, and/or firmware data.
 9. The hearing device according to claim 1, wherein the processing unit is configured to compensate for the hearing loss of the user of the hearing aid according to the received session data.
 10. The hearing device according to claim 1, wherein the session key is a symmetric key.
 11. The hearing device according to claim 1, wherein the processing unit is configured to obtain the session key by generating a random or pseudo-random number with a number generator contained in the hearing device.
 12. The hearing device according to claim 1, wherein the hearing device key is a symmetric key or a public key of a private-public key pair.
 13. The hearing device according to claim 1, wherein the processing unit is configured to send a hearing device identifier in the session response.
 14. A method for communication with a hearing device comprising a processing unit and an interface, the method comprising: receiving a session request for a session via the interface; obtaining and storing a session key; encrypting the session key based on a hearing device key, wherein the hearing device key is stored in a permanent memory of the hearing device; sending a session response comprising the encrypted session key; and receiving session data in the session via the interface.
 15. The method according to claim 14, further comprising verifying an integrity of the session data.
 16. The method according to claim 15, further comprising terminating the session if the integrity of the session data is corrupted.
 17. The method according to claim 14, further comprising: decrypting the session data with the session key; and storing at least a part of the decrypted session data in a memory unit of the hearing device. 